NETWORK PENETRATION TESTING

Service Summary

Defend Your Perimeter

We are proven experts in network infrastructure penetration testing based on the PCI DSS requirements or addressing specific risk concerns of our clients. We cover a full port, protocol and service enumeration followed by a vulnerability assessment of the supporting servers. Our security team performs both internal (as a system user) and external (as an outsider) penetration testing to provide an exhaustive range of attack scenarios.

Clients Cases

An Australian based Payment Processing Solutions provider to financial institutions, governments and the corporate organizations.

We performed the penetration test procedures for the external access points and noted all vulnerabilities in the services and supporting servers. We then obtained VPN access and performed the internal security assessment where we noted encryption weaknesses, server vulnerabilities and configuration issues.

Value Added:

The client obtained assurance over the state of the internal and external network security and provided our reports to the PCI QSA auditors as part of the yearly process to update their PCI compliance.

A large financial holdings institution located in Zimbabwe with many branches across the country consisting of a bank, an insurance company and sales stores.

Project Requirements:

The client requested an external and internal network layer penetration test covering all branches and business units.

Penetration Testing Service:

We performed the penetration test procedures for the external access points and noted all vulnerabilities in the services and supporting servers. We then obtained VPN access and performed the internal security assessment where we noted encryption weaknesses, server vulnerabilities and configuration issues.

Value Added:

The client obtained assurance over the state of the internal and external network security and developed a vulnerability management program to allow for business growth while maintaining security levels across the board.

A Canadian-based, international mining company engaged in the acquisition, exploration, development and mining of precious metal properties.

Project Requirements:

The clients required an external penetration test with specific risk considerations for their VOIP infrastructure.

Penetration Testing Service:

We performed the standard network layer test and then used system specific testing tools to get into the network and try access the VOIP connections. Our report provided insight and understanding on how to address the specific risk concerns.

Value Added:

The client gained a clear understanding of the risks associated with their network environment and business services. A timely security strategy was developed to address these risks and provide assurance over the confidentiality and integrity of their data. The client continues to use our services as part of their vulnerability management program.

Process Description

The initial preparation includes the setting of the test scope, testing hours and testing techniques to use. The scope is simply the number of critical systems that the management has decided to test and prepare for any malicious attack scenario. The testing times are usually during off-peak hours from 8PM - 6AM so that there is no noticeable processing disruptions. In many cases the penetration tests are run on a test environment before the systems "go-live" for public use.
The techniques used during the testing are also an important factor as many clients and standards require different tests to be run.

After agreeing on these terms the penetration test can begin. A general penetration test comprises of an external penetration test, as an outsider to the business (blackbox testing), and an internal network security review as an insider, employee or system user (whitebox testing). An external network penetration test comprises of the following steps:

This is a process of gathering information on the target from publicly available resources.

Once familiar with the target IPs we can begin the network mapping by initiating various port and service scans for each of the targets.

This is an automated process where a scanner is used to target the host(s) with a vast database of exploits for the discovered systems and services from the previous stage.

From the results of the previous phase the tester needs to verify if the vulnerabilities are really true. This is done by taking the actual scripts and running them against the target hosts.

A management summary stating all critical issues as well as a detailed technical report of all the vulnerabilities with a risk and impact rating and recommendations for their resolution.

The internal network security review is a similar process however the tester runs the tests from inside the network and with user level access to the systems and the applications in scope. Additionally to the activities described above the internal testing also includes:

Network Traffic / Encryption Review - this process is done by capturing the network traffic with a tool like Wireshark and running various filters on the traffic dump file to obtain user IDs, passwords, encrypted passwords, web traffic, browsing history and other information depending on the requirements of the project.

Security Configuration Review - the configuration review is a process where the tester verifies that all configuration settings in the domain server / web server / firewall / application server / etc.. are configured in line with the best practice requirements.

An "average" test takes about 2 weeks for the external testing and another 2 weeks for the internal security review procedures. This is a general estimate based on limited daily testing hours and an enterprise IT environment with numerous network and application system components to be tested. The deliverable consists of a detailed report stating all the network layer vulnerabilities with their corresponding impact and recommendations for their resolution.

Contacts

NetSafety is a global information security consulting firm with a head office base in Sofia, Bulgaria and partner offices in Johannesburg, South Africa. Many successful projects across Europe, UK, Africa and Australia provide a proven professional track record and guarantee the high quality of our services.